What is PsExec?

PsExec is a command-line tool that allows users to run programs on remote systems. It can be used to execute remote commands, scripts, and applications on remote systems, as well as to launch GUI-based applications on remote systems.

PsExec uses the Microsoft Windows Service Control Manager (SCM) to start an instance of its service on the remote system, which lets the tool run the specified command or application with the privileges of the service account on the remote system.

In order to establish the connection, the remote user must have access privileges to the target machine and supply the name of the target machine together with their username and password, in the following format:

PsExec -s \\MACHINE-NAME -u USERNAME -p PASSWORD COMMAND (COMMAND being the process to execute once the connection is established).

What is PsExec used for?

PsExec is a powerful command-line tool used primarily for remote administration and execution of processes on Windows systems. It allows system administrators and security professionals to execute commands or run programs on remote computers in a networked environment. Here are some common use cases for PsExec:

Remote System Administration: PsExec enables administrators to remotely manage and administer multiple Windows systems without the need for physical access. It allows them to execute commands, run scripts, install software, modify system configurations, and perform various administrative tasks on remote machines from a central location.

Software Deployment and Updates: With PsExec, administrators can remotely deploy software packages, patches, or updates across multiple computers simultaneously. This feature is particularly useful in large-scale environments where manual installation on individual systems would be time-consuming and impractical.

Troubleshooting and Diagnostics: PsExec can be used to remotely diagnose and troubleshoot system issues. Administrators can execute diagnostic tools, access event logs, retrieve system information, or run troubleshooting scripts on remote systems to identify and resolve problems without being physically present.

Security Auditing and Patch Management: Security professionals often employ PsExec to conduct security audits, vulnerability assessments, or penetration testing exercises. It allows them to remotely execute security scanning tools, verify patch levels, and assess the security posture of remote systems within the network.

Incident Response and Forensics: During incident response investigations, PsExec aids in remotely accessing compromised systems for analysis and evidence gathering. It allows security analysts to execute commands or run forensics tools on compromised machines without directly interacting with them, minimizing the risk of further compromise or data loss.

Red Teaming and Lateral Movement: In red teaming exercises, where organizations simulate real-world attacks to test their security defenses, PsExec is often used for lateral movement within the network. Attackers can use PsExec to execute commands or run malicious payloads on compromised systems, moving laterally and escalating privileges to gain unauthorized access to sensitive resources.

Automation and Scripting: PsExec can be integrated into scripts or batch files, enabling automation of repetitive tasks across multiple systems. It provides a means to execute scripts remotely, allowing administrators to orchestrate complex operations or perform regular maintenance tasks efficiently.

However, it’s important to note that PsExec can be a powerful tool in the hands of attackers as well, since it allows them to execute arbitrary code on remote systems, potentially leading to privilege escalation and lateral movement in the network. Therefore, it is important to use PsExec securely and to limit the use of PsExec to trusted users and systems.

Is PsExec a PowerShell?

PsExec is not PowerShell. It is a command-line tool that allows users to run programs on remote systems.

PowerShell, on the other hand, is a task automation and configuration management framework developed by Microsoft, which includes a command-line shell and associated scripting language built on the .NET framework. PowerShell can be used to automate various tasks and perform complex operations on local or remote systems.

While both PsExec and PowerShell can be used to perform similar tasks, such as running commands on remote systems, they are different tools and have different capabilities. PsExec is designed to execute a single command or application on a remote system, while PowerShell is a more powerful framework that can be used to automate and manage various tasks, including running commands and scripts on remote systems.

Therefore, depending on the scenario, one tool may be more appropriate than the other.

How PsExec Works

PsExec works by leveraging its unique architecture and communication protocols to enable remote execution on Windows systems. Let’s explore the key aspects of how PsExec operates:

Architecture and Communication

PsExec follows a client-server architecture. The client-side component, executed on the local system, establishes a connection with the server-side component running on the remote system. This connection enables the transmission of commands and data between the two systems.

PsExec uses the Server Message Block (SMB) protocol, specifically the SMB file sharing and named pipe mechanisms, to establish communication channels with remote systems. This allows for secure and reliable communication between the client and server components.

Authentication and Security

PsExec employs authentication mechanisms to ensure secure access to remote systems. It supports various authentication methods, including using a username and password, or authentication via NTLM (NT LAN Manager) or Kerberos.

To enhance security, it is crucial to follow best practices for authentication when using PsExec. These practices include utilizing strong and unique passwords, implementing multi-factor authentication where possible, and adhering to the principle of least privilege by granting only necessary permissions to PsExec users.

File and Registry Access

PsExec facilitates file and registry access on remote systems, allowing administrators to perform tasks such as copying files, executing scripts, or modifying registry settings. When executing commands remotely, PsExec temporarily copies the required executable or script to the remote system’s temporary directory before execution.

There are security considerations to weigh when using PsExec for file and registry operations. For example, administrators should exercise caution when transferring sensitive files and ensure that appropriate access controls are in place to prevent unauthorized access to or modification of critical system files and registry entries.

How to Install and Set Up PsExec

Installing and setting up PsExec is a straightforward process that involves the following steps:

Downloading PsExec

To install PsExec, you can visit the official Microsoft website or trusted software repositories to download the PsExec executable file. Ensure that you download it from a reliable source to avoid any security risks or malware.

Installing PsExec

PsExec does not require a formal installation process. Once you have downloaded the PsExec executable file, you can save it to a directory of your choice on your local system. It is recommended to place it in a location that is easily accessible and included in the system’s PATH environment variable for convenient usage.

Running PsExec and Connecting to a Remote Computer

To connect to a remote computer using PsExec, follow these steps:

a. Open a command prompt or terminal on your local system.

b. Navigate to the directory where you saved the PsExec executable file.

c. To establish a connection with a remote computer, use the following command:

psexec \\remote_computer_name_or_IP -u username -p password command

  • Replace “remote_computer_name_or_IP” with the name or IP address of the remote computer you want to connect to.
  • Replace “username” and “password” with the credentials of an account on the remote computer that has the necessary permissions for the desired operations.
  • Specify the command you want to execute on the remote computer.

d. Press Enter to execute the command. PsExec will establish a connection with the remote computer, authenticate using the provided credentials, and execute the specified command remotely.

e. You will see the output of the executed command in your local command prompt or terminal window.

It’s important to note that the successful connection and execution of commands using PsExec depend on the network connectivity between your local system and the remote computer, as well as the correct authentication credentials and permissions on the remote system.

What are the most common PsExec commands?

PsExec offers several commonly used commands that provide administrators with powerful remote execution capabilities. Here are some of the most common PsExec commands and their functions:

PsExec \\remote_computer command:

  • Executes the specified command on the remote computer.
  • Enables administrators to run commands or launch programs remotely.

PsExec \\remote_computer -s command:

  • Executes the specified command with system-level privileges on the remote computer.
  • Useful for running commands that require elevated privileges or accessing system resources.

PsExec \\remote_computer -u username -p password command:

  • Executes the specified command on the remote computer using the provided username and password for authentication.
  • Allows administrators to run commands with specific user credentials on remote systems.

PsExec \\remote_computer -c -f -s -d command:

  • Copies the specified executable file to the remote computer, executes it with system-level privileges, in the background, and without waiting for its completion.
  • Useful for deploying and running programs on remote systems without user interaction.

PsExec \\remote_computer -i session_id -d -s command:

  • Executes the specified command in an interactive session with system-level privileges on the remote computer.
  • Helpful for running commands that require interaction or accessing the graphical user interface of the remote system.

PsExec \\remote_computer -accepteula -s -c -f script.bat:

  • Copies the specified script file to the remote computer, executes it with system-level privileges, and waits for its completion.
  • Allows administrators to remotely execute scripts for automation or administrative tasks.

These commands represent a subset of the available PsExec commands, each serving a specific purpose in remote administration and execution.

The syntax for PsExec commands is:

psexec \\computer[,computer[,..]] [options] command [arguments]

psexec @run_file [options] command [arguments]

PsExec command line options:

  • \\computer: The remote computer to connect to. Use \\* for all computers in the domain.
  • @run_file: Run the command against the computers listed in the specified text file.
  • command: Program to execute on the remote system.
  • arguments: Arguments to pass to the remote program. Use absolute paths.
  • -a: Set CPU affinity. Comma-separate CPU numbers starting at 1.
  • -c: Copy the local program to the remote system before executing.
  • -f: Force copy over an existing remote file.
  • -v: Only copy if the local program is a newer version than the remote one.
  • -d: Don’t wait for the remote program to finish.
  • -e: Don’t load the user profile.
  • -i: Interact with the remote desktop.
  • -l: Run with limited user rights (Users group).
  • -n: Connection timeout in seconds.
  • -p: Specify the password for the user.
  • -r: Name of the remote service to interact with.
  • -s: Run under the SYSTEM account.
  • -u: Specify the username for login.
  • -w: Set the working directory on the remote system.
  • -x: Display UI on the Winlogon desktop.
  • -low: Run at low priority.
  • -accepteula: Suppress the EULA dialog.
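The command forms and the option list above are regular enough to parse mechanically, which is what a defender needs when PsExec command lines turn up in process-creation telemetry (Windows Security 4688 or Sysmon event 1) and have to be triaged at scale. The following Python example is added here and is not part of the original article or of PsExec itself: it recovers the targets, switches and remote command from a command line, masks the password before the line is stored, and attaches triage notes. The Invocation fields, the note tags and wording, and the sample command lines are this example's own constructs.

```python
"""Parse PsExec command lines from process-creation logs and annotate them.

Added example: option names follow the PsExec option list in the article;
the Invocation structure, note tags and sample command lines are constructed here.
"""
import re
from dataclasses import dataclass, field

# Switches that consume the next token as their value.
# -i is handled separately because its session id is optional.
VALUE_OPTS = {"-a", "-n", "-p", "-r", "-u", "-w"}


@dataclass
class Invocation:
    targets: list = field(default_factory=list)   # hosts given as \\a,b,c ("*" = whole domain)
    run_file: str = ""                            # file named with @run_file, if used instead
    options: dict = field(default_factory=dict)   # switch -> value, or True for bare flags
    command: str = ""                             # program started on the remote side
    arguments: list = field(default_factory=list)


def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping double-quoted runs (paths with spaces) intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_psexec(cmdline: str) -> Invocation:
    """Recover targets, switches and the remote command from one command line."""
    toks = tokenize(cmdline)
    inv = Invocation()
    i = 1                                          # toks[0] is psexec.exe itself
    if i < len(toks) and toks[i].startswith("\\\\"):
        inv.targets = toks[i][2:].split(",")
        i += 1
    elif i < len(toks) and toks[i].startswith("@"):
        inv.run_file = toks[i][1:]
        i += 1
    while i < len(toks) and toks[i].startswith("-"):
        opt = toks[i].lower()
        if opt in VALUE_OPTS and i + 1 < len(toks):
            inv.options[opt] = toks[i + 1]
            i += 2
        elif opt == "-i" and i + 1 < len(toks) and toks[i + 1].isdigit():
            inv.options[opt] = toks[i + 1]         # -i <session id>
            i += 2
        else:
            inv.options[opt] = True                # bare switch: -s, -c, -d, -accepteula, ...
            i += 1
    if i < len(toks):
        inv.command = toks[i]
        inv.arguments = toks[i + 1:]
    return inv


def redact(cmdline: str) -> str:
    """Mask the -p value so the stored/forwarded log line carries no password."""
    return re.sub(r'(?<!\S)(-p\s+)("[^"]*"|\S+)', r"\1***", cmdline, flags=re.IGNORECASE)


def review(inv: Invocation) -> dict:
    """Triage notes keyed by a short tag (tags and wording are this example's own)."""
    notes = {}
    if inv.targets == ["*"]:
        notes["fan_out"] = "targets every computer in the domain (\\\\*)"
    elif len(inv.targets) > 1 or inv.run_file:
        where = inv.run_file or ", ".join(inv.targets)
        notes["multi_host"] = f"runs against several hosts: {where}"
    if "-s" in inv.options:
        notes["system"] = "remote program runs under the SYSTEM account"
    if "-c" in inv.options:
        notes["copy"] = "copies a local program to the remote system before running it"
    if "-r" in inv.options:
        notes["renamed_service"] = (f"custom remote service name {inv.options['-r']!r}; "
                                    "detections keyed on the default PSEXESVC name miss it")
    if "-d" in inv.options:
        notes["detached"] = "does not wait for the remote program, so no exit status comes back"
    if "-p" in inv.options:
        notes["cleartext_password"] = "password is on the command line and lands in process logs"
    return notes


if __name__ == "__main__":
    # Constructed sample line, as it might appear in a 4688 record.
    line = r'psexec.exe \\FILESRV01,WS-042 -u CORP\svc_deploy -p S3cret -accepteula -s -c -f -d "C:\Tools\updater.exe" /silent'
    print(redact(line))
    for tag, msg in review(parse_psexec(line)).items():
        print(f"{tag}: {msg}")
```

Store only the output of redact() in your log pipeline; the unmasked line is worth nothing to a responder and a great deal to anyone who reads the log later. The parser keys on the switch table rather than on the binary name, so it still works when the executable has been renamed, as long as the argument grammar is PsExec's.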

Is PsExec malware?

PsExec is not malware itself, but it can be used by malware and attackers to perform malicious actions.

PsExec is a legitimate tool that allows users to run programs on remote systems. It can be used for a variety of legitimate tasks such as troubleshooting, deploying software updates and patches, and executing commands and scripts on multiple systems simultaneously.

However, PsExec can also be used by attackers to gain unauthorized access to remote systems and perform malicious actions. For example, an attacker could use PsExec to execute a malicious payload on a remote system, or to move laterally within a network and gain access to sensitive information.

Therefore, it’s important to use PsExec securely and to limit the use of PsExec to trusted users and systems.

How is PsExec Used in Cyberattacks?

The seamless remote access PsExec enables from a source machine to a target machine is intensively abused by threat actors in the course of the lateral movement stage in cyberattacks. This would typically occur after the initial compromise of a patient-zero machine.

From that point onward, attackers seek to expand their presence within the environment and reach either domain dominance or specific data they are after. PsExec provides them with a seamless and reliable way to achieve that for the reasons set out below.

How can adversaries use PsExec together with compromised credentials?

By combining compromised user credentials with PsExec, adversaries can bypass authentication mechanisms, gain access to multiple systems, and potentially compromise a significant portion of the network. This approach enables them to move laterally, escalate privileges, and carry out their malicious objectives with a broader impact.

What makes PsExec a tool of choice for lateral movement attacks?

PsExec is often considered a “living off the land” tool of choice for lateral movement attacks due to several key factors:

  1. Legitimate Use: PsExec is a legitimate Microsoft Sysinternals tool developed by Mark Russinovich. It is designed to execute processes remotely on Windows systems, making it a trusted and commonly used tool in many IT environments. Its legitimate use makes it less likely to be flagged by security monitoring systems.
  2. Native Integration: PsExec leverages the Server Message Block (SMB) protocol, which is commonly used for file and printer sharing in Windows networks. Since SMB is a native protocol in Windows environments, the use of PsExec doesn’t typically raise immediate suspicion or trigger security alerts.
  3. Lateral Movement Capabilities: PsExec allows an attacker to execute commands or launch processes on remote systems with valid credentials. This capability is particularly valuable for lateral movement attacks, where an attacker wants to move through a network by compromising multiple systems. By using PsExec, attackers can run commands or deploy malware on remote systems without requiring additional exploits or tools.
  4. Bypassing Network Segmentation: PsExec can traverse network segments, allowing attackers to move laterally between isolated parts of a network. This capability is crucial for attackers seeking to explore and compromise systems that are not directly accessible from their initial entry point.
  5. Evasion of Security Controls: PsExec can be used to bypass security controls, such as firewall rules or network segmentation, by leveraging legitimate administrative protocols. Since PsExec is often allowed within corporate networks, it may not be explicitly blocked or monitored by security solutions, making it an attractive choice for attackers.

It’s important to note that while PsExec has legitimate use cases, its potential for misuse and its presence in the target environment make it an attractive tool for adversaries looking to conduct lateral movement attacks. Organizations should implement strong security measures, such as network segmentation, credential management, and monitoring systems, to detect and prevent unauthorized use of PsExec or similar tools.

What are the advantages of using PsExec in ransomware attacks?

Using PsExec for lateral movement offers several advantages to ransomware actors:

  1. Speed and Efficiency: Instead of encrypting each endpoint individually, which can be time-consuming and increase the risk of detection, using PsExec allows attackers to quickly propagate the ransomware to multiple systems simultaneously. This enables them to maximize their impact and potentially encrypt a large number of endpoints within a short time frame.
  2. Bypassing Local Security Controls: Encrypting each endpoint individually increases the likelihood of triggering security alerts on individual systems. By using PsExec, attackers can bypass local security controls since the execution occurs within the context of a legitimate and trusted administrative tool, making it less likely to raise suspicion.
  3. Wider Network Coverage: Lateral movement with PsExec allows attackers to reach and infect systems that may not be directly accessible from their initial entry point. By moving laterally, they can navigate through network segments and compromise additional systems that may hold critical data or provide them with more control over the network.
  4. Evasion of Endpoint Protection: Traditional endpoint protection solutions often focus on detecting and blocking individual malware samples. By using PsExec to spread ransomware, attackers can bypass these endpoint protections since the deployment of the ransomware is not initiated by a malicious file but rather by a legitimate tool.

Why can’t endpoint protection tools detect and prevent the malicious use of PsExec?

Endpoint protection tools may struggle to detect and prevent the malicious use of PsExec due to several reasons:

  1. Legitimate Tool: PsExec is a legitimate tool developed by Microsoft Sysinternals and is commonly used for legitimate system administration tasks. Endpoint protection solutions generally focus on detecting known malicious files or behaviors, and PsExec falls within the category of trusted tools. As a result, the tool itself may not raise immediate suspicion.
  2. Indirect Execution: PsExec does not directly execute malicious payloads or malware. Instead, it is used as a means to remotely execute commands or deploy files on target systems. Since the execution of malicious activities occurs through a legitimate process (i.e., PsExec), it becomes challenging for endpoint protection tools to distinguish between legitimate and malicious usage.
  3. Encryption and Evasion Techniques: PsExec uses built-in encryption to secure communications between the attacker and the target system. This encryption helps conceal the content of the communication, making it harder for endpoint protection tools to inspect the payload and identify malicious behavior. Additionally, attackers may employ various evasion techniques to further obfuscate their activities, making it difficult for traditional signature-based detection methods to identify PsExec-based attacks.
  4. Attack Customization: Attackers can customize their use of PsExec, such as renaming the tool or modifying its parameters, to evade detection. By altering the characteristics of PsExec or embedding it within other legitimate processes, attackers can bypass static signatures or behavioral heuristics used by endpoint protection tools.
  5. Lack of Contextual Awareness: Endpoint protection tools typically operate at the endpoint level and may not have comprehensive visibility into network-wide activities. They may not be aware of the legitimate administrative tasks or workflows within an organization that involve the use of PsExec. Consequently, they may lack the necessary context to differentiate between legitimate and malicious use.

Why can’t traditional MFA solutions prevent the use of PsExec in lateral movement attacks?

Traditional MFA tools may face limitations in preventing lateral movement using PsExec due to the following reasons:

  1. Lack of MFA Support by Kerberos and NTLM: Kerberos and NTLM are commonly used authentication protocols in Windows environments. However, they do not inherently support MFA. These protocols rely on a single-factor authentication mechanism, typically based on passwords. As PsExec uses the underlying authentication protocols of the operating system, the lack of built-in MFA support makes it difficult for traditional MFA tools to enforce additional authentication factors during lateral movement using PsExec.
  2. Reliance on Agents Prone to Leaving Machines Unprotected: Many traditional MFA solutions rely on software agents installed on endpoints to facilitate the authentication process. However, in the case of lateral movement attacks, attackers can compromise and gain control of systems that do not have the MFA agent installed or running. These unprotected machines can then be used as launching pads for PsExec-based lateral movement, bypassing the MFA controls.
  3. Trust in Validated Sessions: Once a user has authenticated and established a session on a system, subsequent activities performed within that session, including PsExec commands, may not trigger re-authentication or MFA challenges. This is because the established session is considered validated, and MFA is typically not re-evaluated during the session. Attackers can take advantage of this trust to exploit legitimate sessions and execute PsExec commands without encountering additional MFA challenges.

PsExec Can Be Dangerous: How PsExec is being used in Ransomware Attacks

PsExec has gained popularity among system administrators and security professionals for its legitimate and efficient remote management capabilities. However, like many tools, PsExec can also be misused for malicious purposes. In recent years, threat actors have started incorporating PsExec into their ransomware attack strategies, making it a potentially dangerous component of their arsenal.

Within the last five years, the skill barrier has dropped significantly and lateral movement with PsExec is incorporated in more than 80% of ransomware attacks, making protection against malicious authentication via PsExec a necessity for every organization.

Ransomware and PsExec

Ransomware attacks involve malicious actors gaining unauthorized access to systems, encrypting critical data, and demanding a ransom for its release. Previously, attackers often relied on social engineering techniques or exploit kits to gain initial access. However, they have now expanded their tactics by utilizing legitimate tools like PsExec to propagate within compromised networks.

Propagation via PsExec

In a ransomware attack, once threat actors gain access to a single system within a network, they aim to move laterally and infect as many systems as possible. PsExec provides a convenient and efficient means for this lateral movement. Attackers use PsExec to remotely execute ransomware payloads on other vulnerable systems, spreading the infection rapidly across the network.

Advantages for Attackers

By incorporating PsExec into their attack chain, cybercriminals gain several advantages. First, PsExec allows them to execute commands and run malicious payloads silently and remotely, reducing the chances of detection. Second, since PsExec is a legitimate tool, it often bypasses traditional security measures that focus on known malware signatures. This allows attackers to blend in with normal network traffic, making it harder to detect their activities.

Mitigating the Risk

Defending against PsExec-based ransomware attacks requires a multi-layered approach. Here are some important mitigations:

Access Control: Implement strict access controls, ensuring that only authorized users have administrative access to critical systems. Limiting the number of accounts with PsExec privileges can help reduce the attack surface.

Endpoint Protection: Deploy and maintain robust endpoint protection solutions that include behavior-based detection mechanisms. These can help identify and block suspicious activity associated with PsExec usage.

Network Segmentation: Employ network segmentation to limit lateral movement opportunities for attackers. Separating critical systems and restricting access between network segments can help contain the impact of a potential ransomware infection.

Monitoring and Anomaly Detection: Implement comprehensive network monitoring and anomaly detection systems that can flag unusual or unauthorized PsExec usage. Promptly investigating and responding to such alerts can help mitigate potential damage.
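The monitoring the section calls for can be grounded in the artifacts PsExec leaves on the target, whatever name the tool runs under: an executable written to the ADMIN$ share (Security event 5145), a service installed a moment later whose image is that same file (System event 7045), and named pipes whose names end in -stdin, -stdout or -stderr (Sysmon event 17). The Python example below is added here and is not part of the original article or of any product it describes: it runs three such rules over a constructed batch of events and then looks for one source reaching many hosts in a short window, the propagation pattern the ransomware sections above describe. The flat event schema (ts, host, id, src, share, target_name, service, image, pipe) is a simplification of the real event fields, the rule names are this example's own, and all events are constructed.

```python
"""Flag PsExec-style remote service execution and source fan-out in Windows events.

Added example. The event schema is a constructed, flattened stand-in for the real
record fields (ShareName/RelativeTargetName, ServiceName/ImagePath, PipeName);
the sample events and rule names are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Default-named PsExec run against SRV01 from 10.0.5.20
    {"ts": "2024-03-01T09:00:00", "host": "SRV01", "id": 5145, "src": "10.0.5.20",
     "share": r"\\*\ADMIN$", "target_name": "PSEXESVC.exe"},
    {"ts": "2024-03-01T09:00:02", "host": "SRV01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-03-01T09:00:02", "host": "SRV01", "id": 17, "pipe": r"\PSEXESVC-ADMIN-WS-4120-stdin"},
    # Same source, service renamed with -r, against three workstations
    {"ts": "2024-03-01T09:01:00", "host": "WS-01", "id": 5145, "src": "10.0.5.20",
     "share": r"\\*\ADMIN$", "target_name": "RemSvc.exe"},
    {"ts": "2024-03-01T09:01:01", "host": "WS-01", "id": 7045,
     "service": "RemSvc", "image": r"%SystemRoot%\RemSvc.exe"},
    {"ts": "2024-03-01T09:01:01", "host": "WS-01", "id": 17, "pipe": r"\RemSvc-ADMIN-WS-4120-stdout"},
    {"ts": "2024-03-01T09:01:30", "host": "WS-02", "id": 5145, "src": "10.0.5.20",
     "share": r"\\*\ADMIN$", "target_name": "RemSvc.exe"},
    {"ts": "2024-03-01T09:01:31", "host": "WS-02", "id": 7045,
     "service": "RemSvc", "image": r"%SystemRoot%\RemSvc.exe"},
    {"ts": "2024-03-01T09:02:00", "host": "WS-03", "id": 5145, "src": "10.0.5.20",
     "share": r"\\*\ADMIN$", "target_name": "RemSvc.exe"},
    {"ts": "2024-03-01T09:02:02", "host": "WS-03", "id": 7045,
     "service": "RemSvc", "image": r"%SystemRoot%\RemSvc.exe"},
    # Benign local installer on SRV02: no ADMIN$ drop beforehand, no PsExec pipe pattern
    {"ts": "2024-03-01T09:02:30", "host": "SRV02", "id": 7045,
     "service": "BackupAgent", "image": r"C:\Program Files\BackupCo\agent.exe"},
    {"ts": "2024-03-01T09:02:31", "host": "SRV02", "id": 17, "pipe": r"\BackupCoControl"},
]

# PsExec's I/O pipes keep these suffixes even when the service name is changed with -r.
PIPE_SUFFIX = re.compile(r"-(stdin|stdout|stderr)$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(seconds=30)) -> list:
    """Return one alert dict (rule, host, ts, context) per rule match."""
    events = sorted(events, key=lambda e: e["ts"])      # fixed-width ISO strings sort correctly
    alerts = []
    drops = defaultdict(list)                           # host -> [(ts, src, filename)]
    for e in events:                                    # index executables written to ADMIN$
        if (e["id"] == 5145 and e["share"].upper().endswith("ADMIN$")
                and e["target_name"].lower().endswith(".exe")):
            drops[e["host"]].append((datetime.fromisoformat(e["ts"]), e["src"],
                                     e["target_name"].lower()))
    for e in events:
        base = {"host": e["host"], "ts": e["ts"]}
        if e["id"] == 7045:
            name = _basename(e["image"])
            if e["service"].upper() == "PSEXESVC" or name == "psexesvc.exe":
                alerts.append({**base, "rule": "psexec_default_service"})
            # Correlation: the service image is a file that arrived over ADMIN$ just before.
            t = datetime.fromisoformat(e["ts"])
            for dts, src, fname in drops[e["host"]]:
                if fname == name and timedelta(0) <= t - dts <= window:
                    alerts.append({**base, "rule": "service_install_after_admin_share_drop",
                                   "src": src, "service": e["service"]})
        elif e["id"] == 17 and PIPE_SUFFIX.search(e["pipe"]):
            alerts.append({**base, "rule": "psexec_pipe_pattern", "pipe": e["pipe"]})
    return alerts


def fan_out(alerts, min_hosts=3, window=timedelta(minutes=10)) -> dict:
    """Sources whose correlated installs reached >= min_hosts distinct hosts within window."""
    per_src = defaultdict(list)
    for a in alerts:
        if a["rule"] == "service_install_after_admin_share_drop":
            per_src[a["src"]].append((datetime.fromisoformat(a["ts"]), a["host"]))
    hits = {}
    for src, items in per_src.items():
        items.sort()
        hosts = {h for _, h in items}
        if len(hosts) >= min_hosts and items[-1][0] - items[0][0] <= window:
            hits[src] = sorted(hosts)
    return hits


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("fan-out:", fan_out(found))
```

The three per-host rules are deliberately independent: the default-name rule is cheap and precise, the pipe rule survives a renamed service, and the share-to-service correlation keys on behaviour rather than on any name at all. The fan-out check is what turns a single admin action into a propagation alert; tune min_hosts and the window against how your own deployment tooling behaves, since a legitimate mass rollout from a management server will trip it too and belongs on an allow-list keyed on the source address.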